U.S. Department of Transportation
Office of the Secretary of Transportation

The Inspector General

Office of Inspector General
Washington, DC 20590

August 5, 2010

The Honorable John L. Mica
Ranking Member
Committee on Transportation and Infrastructure
U.S. House of Representatives
Washington, DC 20515

The Honorable Thomas Petri
Ranking Member
Subcommittee on Aviation
Committee on Transportation and Infrastructure
U.S. House of Representatives
Washington, DC 20515

Dear Ranking Members Mica and Petri:

This letter is in response to your June 10, 2009, roundtable discussion regarding the air traffic control (ATC) system's vulnerability to cyber attack. During the meeting, you requested that my office review the Federal Aviation Administration's (FAA's) progress in implementing the five recommendations from our May 4, 2009, report: Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems.

In short, FAA has implemented all recommendations except one––deployment of intrusion detection devices to protect ATC system operations. The following table summarizes the status of each recommendation.

Recommendations                                                   Status
----------------------------------------------------------------  --------
1.  Ensure that all Web applications used in the Air Traffic      Complete
    Control (ATC) systems are configured in compliance with
    Government security standards.
2.  Strengthen the patch management process by (a) identifying    Complete
    Web applications with known vulnerabilities, and (b)
    promptly installing relevant security patches in a timely
    manner.
3.  Take immediate action to correct high-risk vulnerabilities    Complete
    and establish a timetable for remediation of all remaining
    vulnerabilities identified during this audit.
4a. Resolve differences with the Cyber Security Management        Complete
    Center (CSMC).
4b. Establish a timetable for deploying intrusion-detection       Open
    system (IDS) monitoring devices covering local area
    networks at all ATC facilities.
5.  In conjunction with CSMC officials, identify the              Complete
    information needed for remediation and establish
    procedures to ensure timely remediation of cyber incidents
    based on incident criticality as assessed by CSMC.

FAA originally agreed to develop an IDS deployment strategy for all ATC facilities by December 2009 and complete deployment of IDS capabilities at facilities housing the ARTS IIIE¹ by February 2010. Currently, FAA has completed installation at 7 of the 11 ARTS IIIE facilities. FAA has delayed deploying the remaining four ARTS IIIE facilities until January 2011 because critical ARTS IIIE system-wide software upgrades have a priority over IDS installation. FAA has not yet established a timetable for deploying IDS at the remaining ATC facilities. Without IDS capabilities, FAA cannot effectively monitor ATC systems for possible cyber attacks or take action to stop them. We have discussed our concerns with FAA's action plan with the Chief Information Officers for the Department and FAA and have discussed the significant delays in implementing IDS at remaining facilities with Air Traffic Organization (ATO) senior management. ATO management is developing an implementation strategy to address this issue but could not provide a timetable beyond the ARTS IIIE facilities. We will continue to monitor FAA's progress in this area and keep you apprised of any significant changes.

¹ Automated Radar Terminal System IIIE is a sophisticated computer system used by controllers at major U.S. airports to detect, track, and predict aircraft positions.

Thank you for your inquiry and interest. If you have any questions or need further information, please contact me at (202) 366-1959 or Louis King, Acting Assistant Inspector General for Financial and Information Technology Audits, at (202) 366-1407.

Sincerely,

Calvin L. Scovel III
Inspector General